
Configuring VPNs

Use the VPN area to configure IPSec phase 1 and phase 2. You must have at least one IPSec phase-1 configuration and at least one IPSec phase-2 configuration.

In this area, the following actions are available:

  • Show x Entries—use the drop-down menu to set the number of entries to display
  • Search—enter text to search for in the table
  • Create New—configure the IPSec phase 1 or the IPSec phase 2
  • Edit—change an existing IPSec phase-1 or IPSec phase-2 configuration
  • Delete—delete an IPSec phase-1 or IPSec phase-2 configuration

Creating an IPSec phase-1 or phase-2 configuration

  1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
  2. Right-click a configuration and select Create New. If the table is blank, right-click under the column headings and select Create New.
  3. Enter values in the relevant fields and select Save. See IPSec phase-1 fields and IPSec phase-2 fields.
  4. Select Save.

Updating an IPSec phase-1 or phase-2 configuration

  1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
  2. Right-click a configuration and select Edit.
  3. Update the values that have changed.
  4. Select Save.

Deleting an IPSec phase-1 or phase-2 configuration

  1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
  2. Right-click a configuration and select Delete.

IPSec phase-1 fields

The Create New IPSec Phase1 and Edit IPSec Phase1 forms contain the following fields:

Settings

Guidelines

Gateway Name

Required. Type a name for this Phase-1 configuration. The value is a string with a maximum of 15 characters.

Comments

Type an optional description. The value is a string with a maximum of 255 characters.

Remote Gateway

Required. Select Static IP Address, Dialup user, or Dynamic DNS.

IP Address

Required if you select Static IP Address. Type the IPv4 address.

Dynamic DNS

Required if you select Dynamic DNS. Type the fully qualified domain name.

Local Interface

Required. Select an interface from the drop-down list or select any.

Mode

Required. Select Main or Aggressive for the phase-1 mode.

Authentication Method

Required. Select Pre-shared Key or Signature for the authentication method.

Pre-shared Key

If Pre-shared Key is selected, this field is required. Type a string for the pre-shared key. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

User Group

If Pre-shared Key is selected, this field is available but optional. Enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers.

Certificate Name

If Signature is selected, this field is available but optional. Select a certificate from the drop-down list.

Peer Options

If Signature is selected, this field is available but optional. Select Any peer id or One peer id.

peer id

If One peer id is selected, this field is required. Enter the peer ID to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. The value is a string with a maximum of 255 characters.

Advanced...(XAUTH, NAT-traversal, DPD)

Local Gateway IP

Select Specify or Main Interface IP. If you select Specify, type the IPv4 address in the field.

P1 Proposal

Select the encryption and authentication algorithms. You can select more than one. Use the arrows to move the algorithms from the Available Encryption-Authentication Pair box to the Selected Encryption-Authentication Pair box.

Diffie-Hellman Groups

Select one or more of the following Diffie-Hellman (DH) groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21. At least one of the DH group settings on the remote peer or client must match one of the selections on the FortiGate unit. If no DH group matches, the negotiation fails. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

Key Life

Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172800 seconds. The default is 86400.

Local ID

A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID uniquely identifies one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. Type a string with a maximum of 63 characters.

XAuth

Select Disable or Client for the XAUTH type. The default is Disable.

NAT-traversal

Select Disable, Enable, or Forced. The default is Enable.

Keep Alive Frequency

If NAT traversal is enabled or forced, type the keep-alive frequency in seconds. The value range is 10-900. The default is 10.

Dead Peer Detection

Select Disable, On Idle, or On Demand.
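The phase-1 table above is a set of constraints (field lengths, the 6-character minimum and 16-character recommendation for the pre-shared key, the 120-172800 second key life, the single-DH-group rule in aggressive mode, and the requirement that at least one DH group matches the peer). The following Python is an added example, not Fortinet code, that checks a phase-1 form against exactly those constraints before it is committed. The dictionary keys, the peer's DH-group list, and the helper names are this example's own assumptions; the limits are the ones stated on the page.

```python
import secrets
import string

# Limits taken from the phase-1 field table on this page.
DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 19, 20, 21}  # groups the form offers
DEFAULT_DH_GROUPS = {5, 14}                          # selected by default
KEY_LIFE_RANGE = (120, 172800)                       # IKE key life, seconds
KEEPALIVE_RANGE = (10, 900)                          # NAT-T keep-alive, seconds
PSK_MIN_LEN = 6                                      # hard minimum
PSK_RECOMMENDED_LEN = 16                             # "optimum protection"


def generate_psk(length: int = PSK_RECOMMENDED_LEN) -> str:
    """Random alphanumeric key from the OS CSPRNG, as the page recommends."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(psk: str) -> list[str]:
    """Problems with a pre-shared key; an empty list means it is acceptable."""
    problems = []
    if len(psk) < PSK_MIN_LEN or not psk.isprintable():
        problems.append("psk: must contain at least 6 printable characters")
    elif len(psk) < PSK_RECOMMENDED_LEN:
        problems.append("psk: shorter than the recommended 16 random alphanumeric characters")
    return problems


def negotiable_dh_groups(local: set[int], peer: set[int]) -> set[int]:
    """DH groups both sides offer; an empty result means negotiation fails."""
    return local & peer


def check_phase1(cfg: dict, peer_dh_groups: set[int]) -> list[str]:
    """Validate a phase-1 form (cfg keys are this example's own naming)."""
    errors = []
    name = cfg.get("gateway_name", "")
    if not name or len(name) > 15:
        errors.append("gateway_name: required, at most 15 characters")
    remote = cfg.get("remote_gateway")
    if remote not in {"static", "dialup", "ddns"}:
        errors.append("remote_gateway: must be static, dialup or ddns")
    if remote == "static" and not cfg.get("ip_address"):
        errors.append("ip_address: required for a static remote gateway")
    if remote == "ddns" and not cfg.get("dynamic_dns"):
        errors.append("dynamic_dns: FQDN required for a Dynamic DNS gateway")
    mode = cfg.get("mode", "main")
    if mode not in {"main", "aggressive"}:
        errors.append("mode: must be main or aggressive")
    auth = cfg.get("auth_method")
    if auth == "psk":
        errors.extend(check_psk(cfg.get("psk", "")))
    elif auth == "signature":
        # Certificate is optional; peer id is required only for "One peer id".
        if cfg.get("peer_options") == "one" and not cfg.get("peer_id"):
            errors.append("peer_id: required when One peer id is selected")
    else:
        errors.append("auth_method: must be psk or signature")
    dh = set(cfg.get("dh_groups", DEFAULT_DH_GROUPS))
    if not dh or not dh <= DH_GROUPS:
        errors.append("dh_groups: choose one or more of the offered groups")
    if mode == "aggressive" and remote in {"static", "ddns"} and len(dh) != 1:
        errors.append("dh_groups: aggressive mode allows only one group for static/DDNS gateways")
    if not negotiable_dh_groups(dh, peer_dh_groups):
        errors.append("dh_groups: no group in common with the peer; negotiation will fail")
    life = cfg.get("key_life", 86400)
    if not KEY_LIFE_RANGE[0] <= life <= KEY_LIFE_RANGE[1]:
        errors.append("key_life: must be 120-172800 seconds")
    if cfg.get("nat_traversal", "enable") in {"enable", "forced"}:
        ka = cfg.get("keepalive", 10)
        if not KEEPALIVE_RANGE[0] <= ka <= KEEPALIVE_RANGE[1]:
            errors.append("keepalive: must be 10-900 seconds")
    return errors


if __name__ == "__main__":
    # Constructed sample: a main-mode static gateway with a generated key.
    good = {"gateway_name": "hq-to-branch", "remote_gateway": "static",
            "ip_address": "192.0.2.10", "mode": "main", "auth_method": "psk",
            "psk": generate_psk(), "dh_groups": {14, 19}}
    print(check_phase1(good, peer_dh_groups={14}))
```

The DH-group intersection is the check most worth running before deployment: the page states that a mismatch fails the negotiation outright, and that is the failure mode most often diagnosed only from IKE logs after the fact.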

IPSec phase-2 fields

The Create New IPSec Phase2 and Edit IPSec Phase2 forms contain the following fields:

Settings

Guidelines

Tunnel Name

Required. Type a name for this Phase-2 configuration. The value is a string with a maximum of 35 characters.

Phase 1

Required. Select an IPSec Phase-1 configuration.

Advanced

P2 Proposal

Select the encryption and authentication algorithms. You can select more than one. Use the arrows to move the algorithms from the Available Encryption-Authentication Pair box to the Selected Encryption-Authentication Pair box.

Replay Detection

Select to enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. The default is selected.

Perfect forward secrecy (PFS)

Select to enable or disable perfect forward secrecy (PFS). Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the key life expires. The default is selected.

Diffie-Hellman Groups

Required. Select one or more of the following Diffie-Hellman (DH) groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21. At least one of the DH group settings on the remote peer or client must match one of the selections on the FortiGate unit. If no DH group matches, the negotiation fails. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

Key Life

Required. Select the PFS key life. Select Seconds, KBytes, or Both.

  • If Seconds is selected, type the number of seconds. The default is 43200. The value range is 120-172800.
  • If KBytes is selected, type the number of KB. The default is 5120. The value range is 5120-4294967295.
  • If Both is selected, type the number of seconds and the number of KB.

Auto Keep Alive

Optional. Select to enable or disable autokey keep alive. The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be generated until there is traffic. The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up. The default is deselected.

DHCP-IPsec

Optional. The default is deselected.

Quick Mode Selector

Local Address

Select Subnet, IP Range, IP Address, or Named Address.

  • If Subnet is selected, enter an IP address and netmask.
  • If IP Range is selected, enter the first IP address and the last IP address in the range.
  • If IP Address is selected, enter an IPv4 address.
  • If Named Address is selected, select from the drop-down list.

Remote Address

Select Subnet, IP Range, IP Address, or Named Address.

  • If Subnet is selected, enter an IP address and netmask.
  • If IP Range is selected, enter the first IP address and the last IP address in the range.
  • If IP Address is selected, enter an IPv4 address.
  • If Named Address is selected, select from the drop-down list.

Local Port

Enter the number of the local port. The default is 0. The maximum value is 65535.

Remote Port

Enter the number of the remote port. The default is 0. The maximum value is 65535.

Protocol

Enter the protocol number. The default is 0. The maximum value is 255.
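The phase-2 fields above define the PFS key-life ranges (120-172800 seconds, 5120-4294967295 KB, or both), the four quick-mode selector kinds, and the port and protocol limits. The following Python is an added example, not Fortinet code, that parses the quick-mode selectors with the standard ipaddress module and validates a phase-2 form against the page's limits, reporting disabled replay detection or PFS as warnings because both default to enabled. The dictionary keys and helper names are this example's own assumptions.

```python
import ipaddress
from typing import Optional

# Limits taken from the phase-2 field table on this page.
SECONDS_RANGE = (120, 172800)
KBYTES_RANGE = (5120, 4294967295)
PORT_MAX = 65535
PROTOCOL_MAX = 255


def parse_selector(kind: str, *values: str):
    """Turn a quick-mode selector (subnet / range / ip / named) into an
    IPv4Network, a (first, last) address pair, or an address-object name."""
    if kind == "subnet":
        # Accept "IP + netmask" as the form does; strict=False tolerates host bits.
        return ipaddress.IPv4Network(f"{values[0]}/{values[1]}", strict=False)
    if kind == "range":
        first, last = (ipaddress.IPv4Address(v) for v in values)
        if last < first:
            raise ValueError("last address precedes first address")
        return (first, last)
    if kind == "ip":
        return ipaddress.IPv4Network(f"{values[0]}/32")
    if kind == "named":
        return values[0]  # resolved from the address table; not checked here
    raise ValueError(f"unknown selector kind {kind!r}")


def check_key_life(unit: str, seconds: Optional[int] = None,
                   kbytes: Optional[int] = None) -> list[str]:
    """Validate the PFS key life for the selected unit (seconds, kbytes, both)."""
    errors = []
    if unit not in {"seconds", "kbytes", "both"}:
        return ["key_life: select seconds, kbytes or both"]
    if unit in {"seconds", "both"}:
        if seconds is None or not SECONDS_RANGE[0] <= seconds <= SECONDS_RANGE[1]:
            errors.append("key_life: seconds must be 120-172800")
    if unit in {"kbytes", "both"}:
        if kbytes is None or not KBYTES_RANGE[0] <= kbytes <= KBYTES_RANGE[1]:
            errors.append("key_life: KB must be 5120-4294967295")
    return errors


def check_phase2(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a phase-2 form (cfg keys are this example's naming)."""
    errors, warnings = [], []
    name = cfg.get("tunnel_name", "")
    if not name or len(name) > 35:
        errors.append("tunnel_name: required, at most 35 characters")
    if not cfg.get("phase1"):
        errors.append("phase1: an IPSec phase-1 configuration is required")
    # Both options default to selected; turning them off weakens the tunnel.
    if not cfg.get("replay_detection", True):
        warnings.append("replay_detection disabled: replayed IPsec packets are not rejected")
    if not cfg.get("pfs", True):
        warnings.append("pfs disabled: no fresh DH exchange when the key life expires")
    elif not cfg.get("dh_groups"):
        errors.append("dh_groups: required when PFS is enabled")
    errors.extend(check_key_life(cfg.get("key_life_unit", "seconds"),
                                 cfg.get("key_life_seconds", 43200),
                                 cfg.get("key_life_kbytes", 5120)))
    for side in ("local", "remote"):
        try:
            parse_selector(*cfg.get(f"{side}_address", ("subnet", "0.0.0.0", "0.0.0.0")))
        except ValueError as exc:
            errors.append(f"{side}_address: {exc}")
        if not 0 <= cfg.get(f"{side}_port", 0) <= PORT_MAX:
            errors.append(f"{side}_port: must be 0-65535")
    if not 0 <= cfg.get("protocol", 0) <= PROTOCOL_MAX:
        errors.append("protocol: must be 0-255")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: a subnet on the local side, a range on the remote side.
    sample = {"tunnel_name": "branch-lan", "phase1": "hq-to-branch", "dh_groups": {14},
              "local_address": ("subnet", "10.0.1.0", "255.255.255.0"),
              "remote_address": ("range", "10.0.2.10", "10.0.2.20")}
    print(check_phase2(sample))
```

Because ipaddress raises subclasses of ValueError for malformed addresses and netmasks, a single except clause catches both the reversed-range case handled explicitly and any unparsable input.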
